CVE-2024-29371
Denial-of-Service in jose4j via Malicious JWE Token Decompression
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jose4j | jose4j | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1259 | The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in jose4j before version 0.9.5 allows an attacker to create a malicious JSON Web Encryption (JWE) token with an extremely high compression ratio. When the server processes this token, it causes excessive memory allocation and processing time during decompression, leading to a Denial-of-Service (DoS) condition.
How can this vulnerability impact me? :
The impact of this vulnerability is a Denial-of-Service (DoS) condition on the server processing the malicious JWE token. This means the server could become unresponsive or crash due to excessive resource consumption caused by decompressing the crafted token.
What immediate steps should I take to mitigate this vulnerability?
Upgrade jose4j to version 0.9.5 or later to prevent processing of malicious JWE tokens that cause Denial-of-Service conditions.